CVE-2024-0227 Information

Description

Devise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the Time-based One Time Password algorithm’s (TOTP) inherent entropy limitations it’s possible for an attacker to bypass the 2FA mechanism through brute-force attacks.

Reference

https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-chcr-x7hc-8fp8